Abstract

The Code Equivalence problem is that of determining whether two given linear codes are equivalent to each other up to a permutation of the coordinates. This problem has a direct reduction to a nonabelian hidden subgroup problem (HSP), suggesting a possible quantum algorithm analogous to Shor's algorithms for factoring or discrete log. However, in [Dinh et al., 2011] we showed that in many cases of interest — including Goppa codes — solving this case of the HSP requires rich, entangled measurements. Thus, solving these cases of Code Equivalence via Fourier sampling appears to be out of reach of current families of quantum algorithms.

Code equivalence is directly related to the security of McEliece-type cryptosystems in the case where 
the private code is known to the adversary. However, for many codes the support splitting algorithm of 
Sendrier provides a classical attack in this case. We revisit the claims of our previous article in the light 
of these classical attacks, and discuss the particular case of the Sidelnikov cryptosystem, which is based 
on Reed-Muller codes. 



1 Introduction 

Code Equivalence is the problem of deciding whether two matrices over a finite field generate equivalent linear codes, i.e., codes that are equal up to a fixed permutation on the codeword coordinates. Petrank and Roth [1997] showed that Code Equivalence is unlikely to be NP-complete, but is at least as hard as Graph Isomorphism. We consider a search version of Code Equivalence: given generator matrices $M$ and $M'$ for two equivalent linear $q$-ary codes, find a pair of matrices $(S,P)$, where $S$ is an invertible square matrix over $\mathbb{F}_q$ and $P$ is a permutation matrix, such that $M' = SMP$.

Code Equivalence has an immediate presentation as a hidden subgroup problem, suggesting that one might be able to develop an efficient quantum algorithm for it via the quantum Fourier transform. In our previous article [Dinh et al., 2011], however, we showed that under natural structural assumptions on the code, the resulting instance of the hidden subgroup problem requires entangled measurements of the coset state and, hence, appears to be beyond the reach of current methods.



We argued in [Dinh et al., 2011] that our results strengthen the case for the McEliece cryptosystem as a candidate for post-quantum cryptography — a cryptosystem that can be implemented with classical computers, but which will remain secure even if and when quantum computers are built. In this note, we revisit this statement in light of Sendrier's support splitting algorithm (SSA), which finds the hidden permutation $P$ for many families of codes. In particular, the SSA implies that the McEliece cryptosystem based on Goppa codes is classically insecure when the private code is known. We also observe that our results apply to Reed-Muller codes and thus to a natural quantum attack on the Sidelnikov cryptosystem.



2 Ramifications for McEliece-type cryptosystems 



The private key of a McEliece cryptosystem is a triple $(S,M,P)$, where $S$ is an invertible matrix over $\mathbb{F}_q$, $P$ is a permutation matrix, and $M$ is the generator matrix for a $q$-ary error-correcting code that permits efficient decoding. The public key is the generator matrix $M' = SMP$. If both $M$ and $M'$ are known to an adversary, the problem of recovering $S$ and $P$ (the remainder of the secret key) is precisely the version of Code Equivalence described above. If $M$ and $M'$ have full rank, then given $P$ we can find $S$ by linear algebra. Thus the potentially hard part of the problem is finding the hidden permutation $P$.



We call an adversary apprised of both $M$ and $M'$ a known-code adversary. In our recent article [Dinh et al., 2011], we noted that our results on Goppa codes imply that the natural quantum attack available to a known-code adversary yields hard cases of the hidden subgroup problem, and asserted that this should bolster our confidence in the post-quantum security of the McEliece cryptosystem.

However, the classical support splitting algorithm (SSA) of Sendrier can efficiently solve Code Equivalence for Goppa codes, and many other families of codes as well. (In addition, Goppa codes of high rate can be distinguished from random codes, opening them to additional attacks [Faugère et al., 2010].) Thus for McEliece based on Goppa codes, the known-code adversary is too powerful: it can break the cryptosystem classically. Therefore, the hardness of the corresponding instances of the HSP has little bearing on the post-quantum security of the McEliece cryptosystem, at least for this family of codes.

The situation is similar in many ways to the status of Graph Isomorphism. There is a natural reduction from Graph Isomorphism to the HSP on the symmetric group, but a long series of results (e.g. [Hallgren et al.; Moore et al.]) has shown that the resulting instances of the HSP require highly-entangled measurements, and that known families of such measurements cannot succeed. Thus the miracle of Shor's algorithms for factoring and discrete log, where we can solve these problems simply by looking at the symmetries of a certain function, does not seem to apply to Graph Isomorphism. Any efficient quantum algorithm for it would have to involve significantly new ideas.

On the other hand, many cases of Graph Isomorphism are easy classically, including graphs with bounded eigenvalue multiplicity [Babai et al., 1982] and constant degree [Luks, 1982]. Many of these classical algorithms work by finding a canonical labeling of the graph [Babai, 1980; Babai and Luks, 1983], giving each vertex a unique label based on local quantities. These labeling schemes use the details of the graph, and not just its symmetries — precisely what the reduction to the HSP leaves out. Analogously, the support splitting algorithm labels each coordinate of the code by the weight enumerator of the hull of the code punctured at that coordinate. For most codes, including Goppa codes, this creates a labeling that is unique or nearly unique, allowing us to determine the permutation $P$.

There are families of instances of Graph Isomorphism that defeat known methods, due to the fact that no local or spectral property appears to distinguish the vertices from each other. In particular, no polynomial-time algorithm is known for isomorphism of strongly regular graphs. (On the other hand, these graphs are highly structured, yielding canonical-labeling algorithms that, while still exponential, are faster than those known for general graphs [Spielman, 1996].) In the same vein, we might hope that there are families of codes where the coordinates are hard to distinguish from each other using linear-algebraic properties. In that case, the corresponding McEliece cryptosystem might be hard classically even for known-code adversaries, and the reduction to the HSP would be relevant to their post-quantum security.
Along these lines, Sidelnikov [1994] proposed a variant of the McEliece cryptosystem using binary Reed-Muller codes. Since there is a single Reed-Muller code of given rate and block length, the code $M$ is known to the adversary and the security of the system is directly related to the Code Equivalence problem. Additionally, since Reed-Muller codes are self-dual, they coincide with their hulls, so that the weight enumerators used by the SSA are exponentially large, making them resistant to that classical attack. There are also extremely efficient algorithms for error correction in Reed-Muller codes, suggesting that large key sizes are computationally feasible.

We observe below that the results of [Dinh et al., 2011] apply directly to Reed-Muller codes, and thus frustrate the natural quantum Fourier sampling approach to the corresponding instances of Code Equivalence. As virtually all known exponential speed-ups of quantum algorithms for algebraic problems derive from Fourier sampling, this suggests that new ideas would be necessary to exploit quantum computing for breaking the Sidelnikov system.

On the other hand, a classical algorithm of Minder and Shokrollahi [2007] solves the Code Equivalence problem for binary Reed-Muller codes in quasipolynomial time, at least in the low-rate setting where Reed-Muller codes have the best performance, yielding a direct attack on the Sidelnikov system.



3 Quantum Fourier sampling for Code Equivalence and Reed-Muller codes 



We say a linear code $M$ is HSP-hard if strong quantum Fourier sampling, or more generally any measurement of a coset state, reveals negligible information about the permutation between $M$ and any code equivalent to $M$. (See e.g. Moore et al. [2008] for definitions of the coset state and strong Fourier sampling.) If $M$ is a $q$-ary $[n,k]$-code, its automorphism group $\mathrm{Aut}(M)$ is the set of permutations $P \in S_n$ such that $M = SMP$ for some invertible $k \times k$ matrix $S$ over $\mathbb{F}_q$. Recall that the support of a permutation $\pi \in S_n$ is the number of points that are not fixed by $\pi$, and the minimal degree of a subgroup $H \subseteq S_n$ is the smallest support of any non-identity $\pi \in H$. The following theorem is immediate from Corollary 1 in [Dinh et al., 2011]:

Theorem 1. Let $M$ be a $q$-ary $[n,k]$-linear code such that $q^{k^2} < n^{0.2n}$. If $|\mathrm{Aut}(M)| < e^{o(n)}$ and the minimal degree of $\mathrm{Aut}(M)$ is $\Omega(n)$, then $M$ is HSP-hard.

We apply Theorem 1 to binary Reed-Muller codes as follows. Let $m$ and $r$ be positive integers with $r < m$, and let $n = 2^m$. Fix an ordered list $(\alpha_1, \dots, \alpha_n)$ of all $2^m$ binary vectors of length $m$, i.e., $\mathbb{F}_2^m = \{\alpha_1, \dots, \alpha_n\}$. The $r$th-order binary Reed-Muller code of length $n$, denoted $\mathrm{RM}(r,m)$, consists of codewords of the form $(f(\alpha_1), \dots, f(\alpha_n))$, where $f \in \mathbb{F}_2[X_1, \dots, X_m]$ ranges over all binary polynomials on $m$ variables of degree at most $r$. The code $\mathrm{RM}(r,m)$ has dimension equal to the number of monomials of degree at most $r$,

$$k = \sum_{i=0}^{r} \binom{m}{i}.$$

To apply Theorem 1 we first need to choose $r$ such that $k^2 < 0.2\, m\, 2^m$. If $r < 0.1m$ then $k \le (r+1)\binom{m}{r} \le (r+1)\, 2^{0.47m}$, and hence $k^2 < 0.2\, m\, 2^m$ for sufficiently large $m$.

Next, we examine the automorphism group of the Reed-Muller codes. Let $\mathrm{GL}_m(\mathbb{F}_2)$ denote the set of invertible $m \times m$ matrices over $\mathbb{F}_2$. It is known [Sidelnikov, 1994; MacWilliams and Sloane, 1978] that $\mathrm{Aut}(\mathrm{RM}(r,m))$ coincides with the general affine group of the space $\mathbb{F}_2^m$. In other words, $\mathrm{Aut}(\mathrm{RM}(r,m))$ consists of all affine permutations of the form $\sigma_{A,\beta}(x) = Ax + \beta$ where $A \in \mathrm{GL}_m(\mathbb{F}_2)$ and $\beta \in \mathbb{F}_2^m$. Hence the size of $\mathrm{Aut}(\mathrm{RM}(r,m))$ is

$$|\mathrm{Aut}(\mathrm{RM}(r,m))| = |\mathrm{GL}_m(\mathbb{F}_2)| \cdot |\mathbb{F}_2^m| < 2^{m^2} \cdot 2^m = 2^{O(\log^2 n)} < e^{o(n)}.$$
Finally, we compute the minimal degree of $\mathrm{Aut}(\mathrm{RM}(r,m))$ as follows.



Proposition 2. The minimal degree of $\mathrm{Aut}(\mathrm{RM}(r,m))$ is exactly $2^{m-1} = n/2$.



Proof. The minimal degree is at most $2^{m-1}$, since there is an affine transformation with support $2^{m-1}$. For example, let $A$ be the $m \times m$ binary matrix with 1s on the diagonal and the $(1,m)$-entry and 0s elsewhere. Then $\sigma_{A,0}$ fixes the subspace spanned by the first $m-1$ standard basis vectors. Its support is the complement of this subspace, which has size $2^{m-1}$.

Conversely, suppose $\sigma_{A,\beta}$ fixes a set $S$. Let $x_0 \in S$ and consider the translated set $S' = S - x_0$. Then $Ay = y$ for any $y \in S'$, since

$$y + x_0 = \sigma_{A,\beta}(y + x_0) = Ay + \sigma_{A,\beta}(x_0) = Ay + x_0.$$

If $S'$ spans $\mathbb{F}_2^m$, then $A = 1$. Then $\beta = 0$, since otherwise $\sigma_{A,\beta}$ doesn't fix anything, and so $\sigma_{A,\beta}$ is the identity.

Moreover, any set $T$ of size greater than $2^{m-1}$ spans $\mathbb{F}_2^m$. To see this, let $B$ be a maximal subset of $T$ consisting of linearly independent vectors. Since $B$ spans $T$, we have $|T| \le 2^{|B|}$. Thus if $|T| > 2^{m-1}$ we have $|B| = m$, so $B$ and therefore $T$ span $\mathbb{F}_2^m$. Applying this to $S'$, which has the same size as $S$, shows that no nonidentity affine transformation can fix more than $2^{m-1}$ points, and the minimal degree is at least $2^{m-1}$. □

We have proved the following: 

Theorem 3. Reed-Muller codes $\mathrm{RM}(r,m)$ with $r < 0.1m$ and $m$ sufficiently large are HSP-hard.

In the original proposal of Sidelnikov [1994], $r$ is taken to be a small constant, where the Reed-Muller codes have low rate. It is worth noting that the attack of Minder and Shokrollahi [2007] becomes infeasible in the high-rate case where $r$ is large, due to the difficulty of finding minimum-weight codewords, while Theorem 3 continues to apply. However, as those authors point out, taking large $r$ degrades the performance of Reed-Muller codes, and presumably opens the Sidelnikov system to other classical attacks.